Netflow codec plugin v3.12.0

Getting Help

For questions about the plugin, open a topic in the Discuss forums. For bugs or feature requests, open an issue in GitHub.
For the list of Elastic supported plugins, please consult the Elastic Support Matrix.

Description

The "netflow" codec is used for decoding Netflow v5/v9/v10 (IPFIX) flows.

Supported Netflow/IPFIX exporters

This codec supports:

Netflow v5

Netflow v9

IPFIX

The following Netflow/IPFIX exporters are known to work with the most recent version of the netflow codec:

Usage

Example Logstash configuration that will listen on 2055/udp for Netflow v5, v9 and IPFIX:

input {
  udp {
    port => 2055
    codec => netflow
  }
}

For high-performance production environments the configuration below will decode up to 15000 flows/sec from a Cisco ASR 9000 router on a dedicated 16 CPU instance. If your total flowrate exceeds 15000 flows/sec, you should use multiple Logstash instances.

Note that for richer flows from a Cisco ASA firewall this number will be at least 3x lower.

cache_save_path

Enables the template cache and saves it in the specified directory. This
minimizes data loss after Logstash restarts because the codec doesn’t have to
wait for the arrival of templates, but instead reloads the templates it
already received during previous runs.
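
Why the template cache matters, shown as an added example that is not part of the original documentation and is not the plugin's own code: Netflow v9 data records can only be decoded with a template the exporter sent earlier, so a decoder that restarts without saved templates drops flows until the templates arrive again. The Python below assumes constructed packets, a three-field subset of the RFC 3954 field types, and a hypothetical JSON cache file (not the codec's actual cache format).

```python
import ipaddress, json, struct
FIELDS = {1: "in_bytes", 8: "ipv4_src_addr", 12: "ipv4_dst_addr"}  # subset of RFC 3954

def decode_v9(packet, templates):
    """Decode one v9 packet, updating `templates`; returns (records, data flowsets skipped)."""
    version, _, _, _, _, source_id = struct.unpack_from("!HHIIII", packet, 0)
    if version != 9:
        raise ValueError("not NetFlow v9")
    records, skipped, off = [], 0, 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad flowset length")  # lengths are exporter-supplied
        body, pos = packet[off + 4:off + fs_len], 0
        if fs_id == 0:  # template flowset: learn the field layout
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                if tid < 256 or pos + 4 + 4 * nfields > len(body):
                    break  # padding or truncated template
                templates[f"{source_id}:{tid}"] = [
                    list(struct.unpack_from("!HH", body, pos + 4 + 4 * i)) for i in range(nfields)]
                pos += 4 + 4 * nfields
        elif fs_id >= 256:  # data flowset: undecodable without its template
            tmpl = templates.get(f"{source_id}:{fs_id}", [])
            size = sum(flen for _, flen in tmpl)
            skipped += 0 if size else 1
            while size and pos + size <= len(body):
                rec = {}
                for ftype, flen in tmpl:
                    raw, pos = body[pos:pos + flen], pos + flen
                    val = str(ipaddress.ip_address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")
                    rec[FIELDS.get(ftype, f"field_{ftype}")] = val
                records.append(rec)
        off += fs_len
    return records, skipped

HDR = struct.pack("!HHIIII", 9, 1, 0, 0, 0, 7)  # constructed header, source_id 7
TEMPLATE_PKT = HDR + struct.pack("!10H", 0, 20, 256, 3, 8, 4, 12, 4, 1, 4)  # constructed
DATA_PKT = HDR + struct.pack("!HH4s4sI", 256, 16, bytes([192, 0, 2, 10]),
                             bytes([198, 51, 100, 5]), 1500)  # constructed flow

def restart_demo(cache_file):
    live = {}
    decode_v9(TEMPLATE_PKT, live)  # exporter announces template 256
    with open(cache_file, "w") as f:
        json.dump(live, f)  # saved before the restart
    cold = decode_v9(DATA_PKT, {})  # restarted with no saved templates
    with open(cache_file) as f:
        warm = decode_v9(DATA_PKT, json.load(f))  # restarted, cache reloaded
    return cold, warm
```

`restart_demo` returns the result of decoding the same data packet twice: once with an empty template table (the flowset is skipped) and once with the table reloaded from disk (the flow is decoded immediately).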